From c90b4e6fcd3d5123c588640436b811e9a95d345c Mon Sep 17 00:00:00 2001
From: Breno Silva
Date: Mon, 10 Aug 2009 21:34:37 -0300
Subject: [PATCH 1/3] Decode event rule
---
 src/Makefile.am | 1 +
 src/detect-decode-event.c | 337 ++++++++++++++++++++++++++++++++++++++
 src/detect-decode-event.h | 55 +++++++
 src/detect-parse.c | 6 +-
 src/detect.c | 8 +
 src/detect.h | 2 +-
 src/eidps.c | 5 +-
 7 files changed, 408 insertions(+), 6 deletions(-)
 create mode 100644 src/detect-decode-event.c
 create mode 100644 src/detect-decode-event.h
diff --git a/src/Makefile.am b/src/Makefile.am
index b069823974..ee00e8bcf2 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -58,6 +58,7 @@ detect-metadata.c detect-metadata.h \
 detect-msg.c detect-msg.h \
 detect-flow.c detect-flow.h \
 detect-dsize.c detect-dsize.h \
+detect-decode-event.c detect-decode-event.h \
 detect-noalert.c detect-noalert.h \
 util-print.c util-print.h \
 util-mpm.c util-mpm.h \
diff --git a/src/detect-decode-event.c b/src/detect-decode-event.c
new file mode 100644
index 0000000000..716806da44
--- /dev/null
+++ b/src/detect-decode-event.c
@@ -0,0 +1,337 @@
+/** Copyright (c) 2009 Open Information Security Foundation
+ *
+ * \author Breno Silva
+ */
+
+
+#include "decode.h"
+#include "detect.h"
+#include "flow-var.h"
+
+#include "eidps.h"
+
+#include "decode-events.h"
+#include "detect-decode-event.h"
+
+#include "util-unittest.h"
+
+#include
+#include
+
+/* XXX VJ stricter regex */
+#define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z+]+$"
+
+static pcre *parse_regex;
+static pcre_extra *parse_regex_study;
+
+int DetectDecodeEventMatch (ThreadVars *, PatternMatcherThread *, Packet *, Signature *, SigMatch *);
+int DetectDecodeEventSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *str);
+void DecodeEventRegisterTests(void);
+
+
+/**
+ * \brief Registration function for decode-event: keyword
+ */
+
+void DetectDecodeEventRegister (void) {
+ sigmatch_table[DETECT_DECODE_EVENT].name = "decode-event";
+ sigmatch_table[DETECT_DECODE_EVENT].Match = DetectDecodeEventMatch;
+ sigmatch_table[DETECT_DECODE_EVENT].Setup = DetectDecodeEventSetup;
+ sigmatch_table[DETECT_DECODE_EVENT].Free = NULL;
+ sigmatch_table[DETECT_DECODE_EVENT].RegisterTests = DecodeEventRegisterTests;
+
+ const char *eb;
+ int eo;
+ int opts = 0;
+
+ parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
+ if(parse_regex == NULL)
+ {
+ printf("pcre compile of \"%s\" failed at offset %d: %s\n", PARSE_REGEX, eo, eb);
+ goto error;
+ }
+
+ parse_regex_study = pcre_study(parse_regex, 0, &eb);
+ if(eb != NULL)
+ {
+ printf("pcre study failed: %s\n", eb);
+ goto error;
+ }
+ return;
+
+error:
+ return;
+
+}
+
+/**
+ * \brief This function is used to match decoder event flags set on a packet with those passed via decode-event:
+ *
+ * \param t pointer to thread vars
+ * \param pmt pointer to the pattern matcher thread
+ * \param p pointer to the current packet
+ * \param s pointer to the Signature
+ * \param m pointer to the sigmatch
+ *
+ * \retval 0 no match
+ * \retval 1 match
+ */
+
+
+int DetectDecodeEventMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m)
+{
+ int ret = 0;
+
+ DetectDecodeEventData *de = (DetectDecodeEventData *)m->ctx;
+
+ if(de && DECODER_ISSET_EVENT(p, de->event))
+ return 1;
+
+ return ret;
+}
+
+/**
+ * \brief This function is used to parse decoder events options passed via decode-event: keyword
+ *
+ * \param rawstr Pointer to the user provided decode-event options
+ *
+ * \retval de pointer to DetectFlowData on success
+ * \retval NULL on failure
+ */
+
+
+DetectDecodeEventData *DetectDecodeEventParse (char *rawstr)
+{
+
+ int i;
+ DetectDecodeEventData *de = NULL;
+#define MAX_SUBSTRINGS 30
+ int ret = 0, res = 0, found = 0;
+ int ov[MAX_SUBSTRINGS];
+
+
+ ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
+
+ if (ret < 1) {
+ goto error;
+ }
+
+ const char *str_ptr;
+
+ res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 0, &str_ptr);
+
+ if (res < 0) {
+ goto error;
+ }
+
+
+ for(i=0; DEvents[i].event_name != NULL; i++) {
+ if((strncasecmp(DEvents[i].event_name,str_ptr,strlen(DEvents[i].event_name))) == 0) {
+ found = 1;
+ break;
+ }
+ }
+
+
+ if(found == 0)
+ goto error;
+
+ de = malloc(sizeof(DetectDecodeEventData));
+
+ if (de == NULL) {
+ printf("DetectDecodeEventSetup malloc failed\n");
+ goto error;
+ }
+
+ de->event = DEvents[i].code;
+ return de;
+
+error:
+ if (de) free(de);
+ return NULL;
+}
+
+/**
+ * \brief this function is used to add the parsed decode-event into the current signature
+ *
+ * \param de_ctx pointer to the Detection Engine Context
+ * \param s pointer to the Current Signature
+ * \param m pointer to the Current SigMatch
+ * \param rawstr pointer to the user provided decode-event options
+ *
+ * \retval 0 on Success
+ * \retval -1 on Failure
+ */
+
+
+int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr)
+{
+ DetectDecodeEventData *de = NULL;
+ SigMatch *sm = NULL;
+
+ de = DetectDecodeEventParse(rawstr);
+ if (de == NULL)
+ goto error;
+
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+
+ sm->type = DETECT_DECODE_EVENT;
+ sm->ctx = (void *)de;
+
+ SigMatchAppend(s,m,sm);
+ return 0;
+
+error:
+ if (de) free(de);
+ if (sm) free(sm);
+ return -1;
+
+ return 0;
+}
+
+/**
+ * \brief this function will free memory associated with DetectDecodeEventData
+ *
+ * \param de pointer to DetectDecodeEventData
+ */
+
+
+void DetectDecodeEventFree(DetectDecodeEventData *de) {
+ if(de) free(de);
+}
+
+/*
+ * ONLY TESTS BELOW THIS COMMENT
+ */
+
+/**
+ * \test DecodeEventTestParse01 is a test for a valid decode-event value
+ */
+
+int DecodeEventTestParse01 (void) {
+ DetectDecodeEventData *de = NULL;
+ de = DetectDecodeEventParse("ipv4.pkt_too_small");
+ if (de) {
+ DetectDecodeEventFree(de);
+ return 1;
+ }
+
+ return 0;
+}
+
+
+/**
+ * \test DecodeEventTestParse02 is a test for a valid upper + lower case decode-event value
+ */
+
+int DecodeEventTestParse02 (void) {
+ DetectDecodeEventData *de = NULL;
+ de = DetectDecodeEventParse("PPP.pkt_too_small");
+ if (de) {
+ DetectDecodeEventFree(de);
+ return 1;
+ }
+
+ return 0;
+}
+
+/**
+ * \test DecodeEventTestParse03 is a test for a valid upper case decode-event value
+ */
+
+int DecodeEventTestParse03 (void) {
+ DetectDecodeEventData *de = NULL;
+ de = DetectDecodeEventParse("IPV6.PKT_TOO_SMALL");
+ if (de) {
+ DetectDecodeEventFree(de);
+ return 1;
+ }
+
+ return 0;
+}
+
+/**
+ * \test DecodeEventTestParse04 is a test for an invalid upper case decode-event value
+ */
+
+int DecodeEventTestParse04 (void) {
+ DetectDecodeEventData *de = NULL;
+ de = DetectDecodeEventParse("IPV6.INVALID_EVENT");
+ if (de) {
+ DetectDecodeEventFree(de);
+ return 1;
+ }
+
+ return 0;
+}
+
+/**
+ * \test DecodeEventTestParse05 is a test for an invalid char into the decode-event value
+ */
+
+int DecodeEventTestParse05 (void) {
+ DetectDecodeEventData *de = NULL;
+ de = DetectDecodeEventParse("IPV-6,INVALID_CHAR");
+ if (de) {
+ DetectDecodeEventFree(de);
+ return 1;
+ }
+
+ return 0;
+}
+
+/**
+ * \test DecodeEventTestParse06 is a test for match function with valid decode-event value
+ */
+
+int DecodeEventTestParse06 (void) {
+ Packet p;
+ ThreadVars tv;
+ int ret = 0;
+ DetectDecodeEventData *de = NULL;
+ SigMatch *sm = NULL;
+
+
+ memset(&tv, 0, sizeof(ThreadVars));
+ memset(&p, 0, sizeof(Packet));
+
+ DECODER_SET_EVENT(&p,PPP_PKT_TOO_SMALL);
+
+ de = DetectDecodeEventParse("ppp.pkt_too_small");
+ if (de == NULL)
+ goto error;
+
+ de->event = PPP_PKT_TOO_SMALL;
+
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+
+ sm->type = DETECT_DECODE_EVENT;
+ sm->ctx = (void *)de;
+
+ ret = DetectDecodeEventMatch(&tv,NULL,&p,NULL,sm);
+
+ if(ret)
+ return 1;
+
+error:
+ if (de) free(de);
+ if (sm) free(sm);
+ return 0;
+}
+
+/**
+ * \brief this function registers unit tests for DecodeEvent
+ */
+
+void DecodeEventRegisterTests(void) {
+ UtRegisterTest("DecodeEventTestParse01", DecodeEventTestParse01, 1);
+ UtRegisterTest("DecodeEventTestParse02", DecodeEventTestParse02, 1);
+ UtRegisterTest("DecodeEventTestParse03", DecodeEventTestParse03, 1);
+ UtRegisterTest("DecodeEventTestParse04", DecodeEventTestParse04, 0);
+ UtRegisterTest("DecodeEventTestParse05", DecodeEventTestParse05, 0);
+ UtRegisterTest("DecodeEventTestParse06", DecodeEventTestParse06, 1);
+}
diff --git a/src/detect-decode-event.h b/src/detect-decode-event.h
new file mode 100644
index 0000000000..5fe75edbbe
--- /dev/null
+++ b/src/detect-decode-event.h
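Review bot: The lookup loop in DetectDecodeEventParse accepts any option that merely starts with a known event name, because `strncasecmp` is bounded by `strlen(DEvents[i].event_name)`; a mistyped or extended name (a constructed example: `tcp.opt_invalid_length`) is silently bound to `tcp.opt_invalid_len` instead of being rejected when the rule is loaded. Compare the whole string instead, `if (strcasecmp(DEvents[i].event_name, str_ptr) == 0) {`. The buffer returned by `pcre_get_substring` is never released on the success or the error path; add `pcre_free_substring(str_ptr);` once the lookup is done. The registration also sets `.Free = NULL` although `DetectDecodeEventFree` is defined further down, so the context allocated here appears to have no release hook in the table.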
@@ -0,0 +1,55 @@
+/** Copyright (c) 2009 Open Information Security Foundation
+ *
+ * \author Breno Silva
+ */
+
+#ifndef __DETECT_DECODE_EVENT_H__
+#define __DETECT_DECODE_EVENT_H__
+
+
+typedef struct DetectDecodeEventData_ {
+ u_int8_t event;
+} DetectDecodeEventData;
+
+/* prototypes */
+void DetectDecodeEventRegister (void);
+
+/* suppoted decoder events */
+
+struct DetectDecodeEvents_ {
+ char *event_name;
+ u_int8_t code;
+} DEvents[] = {
+ "ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL,
+ "ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL,
+ "ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN,
+ "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL,
+ "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR,
+ "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH,
+ "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH,
+ "ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH,
+ "ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH,
+ "ipv6.exthdr_dupl_ah", IPV6_EXTHDR_DUPL_AH,
+ "ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH,
+ "ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN,
+ "tcp.pkt_too_small", TCP_PKT_TOO_SMALL,
+ "tcp.hlen_too_small", TCP_HLEN_TOO_SMALL,
+ "tcp.invalid_optlen", TCP_INVALID_OPTLEN,
+ "tcp.opt_invalid_len", TCP_OPT_INVALID_LEN,
+ "tcp.opt_duplicate", TCP_OPT_DUPLICATE,
+ "udp.pkt_too_small", UDP_PKT_TOO_SMALL,
+ "udp.hlen_too_small", UDP_HLEN_TOO_SMALL,
+ "udp.hlen_invalid", UDP_HLEN_INVALID,
+ "sll.pkt_too_small", SLL_PKT_TOO_SMALL,
+ "ethernet.pkt_too_small", ETHERNET_PKT_TOO_SMALL,
+ "ppp.pkt_too_small", PPP_PKT_TOO_SMALL,
+ "ppp.ju_pkt_too_small", PPPVJU_PKT_TOO_SMALL,
+ "ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL,
+ "ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL,
+ "ppp.wrong_type", PPP_WRONG_TYPE,
+ NULL, 0
+};
+
+
+#endif /*__DETECT_DECODE_EVENT_H__ */
+
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 0b145fbe94..b3f66f9ea9 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
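Review bot: The table entries `ppp.ip4_pkt_too_small` and `ppp.ip6_pkt_too_small` cannot be selected from a rule, because PARSE_REGEX in detect-decode-event.c only admits `[A-z+]+` after the dot and both names carry a digit there; a rule using them fails in DetectDecodeEventParse, so those two decoder events stay without coverage. Allowing digits in the second class, `[.][0-9A-Za-z_]+$`, would make every listed name reachable (as written, `A-z` also admits `[`, `\`, `]`, `^` and the backtick). DEvents is also defined rather than declared in this header, so any second translation unit that includes it gets its own definition; an `extern` declaration here with the definition in detect-decode-event.c avoids that. The header uses the event constants and `u_int8_t` without including what declares them, so it currently depends on include order.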
@@ -37,10 +37,10 @@ static u_int32_t dbg_dstportany_cnt = 0; #define CONFIG_OPTS 7 // action protocol src sp dir dst dp options -#define CONFIG_PCRE "^([A-z]+)\\s+([A-z0-9]+)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,\\/]+)\\s+([\\:A-z0-9_\\$\\!,]+)\\s+(\\<-|-\\>|\\<\\>)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,/]+)\\s+([\\:A-z0-9_\\$\\!,]+)(?:\\s+\\((.*)?(?:\\s*)\\))?(?:(?:\\s*)\\n)?$" -#define OPTION_PARTS 3 -#define OPTION_PCRE "^\\s*([A-z_0-9]+)(?:\\s*\\:\\s*(.*)(?|\\<\\>)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,/]+)\\s+([\\:A-z0-9_\\$\\!]+)(?:\\s+\\((.*)?(?:\\s*)\\))?(?:(?:\\s*)\\n)?$" +#define OPTION_PARTS 3 +#define OPTION_PCRE "^\\s*([A-z_0-9-]+)(?:\\s*\\:\\s*(.*)(?next = sig; prevsig = sig; + sig = SigInit(g_de_ctx, "alert tcp any any -> any any (msg:\"ipv4 pkt too small\"; decode-event:ipv4.pkt_too_small; sid:5;)"); + if (sig == NULL) + return; + prevsig->next = sig; + prevsig = sig; /* sig = SigInit(g_de_ctx,"alert udp any any -> any any (msg:\"ViCtOr nocase test\"; sid:4; rev:13; content:\"ViCtOr!!\"; offset:100; depth:150; nocase; content:\"ViCtOr!!\"; nocase; offset:99; depth:150;)"); if (sig == NULL) @@ -658,6 +663,8 @@ static int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) { return 0; } else if (sm->type == DETECT_DSIZE) { return 0; + } else if (sm->type == DETECT_DECODE_EVENT) { + return 0; } } @@ -2592,6 +2599,7 @@ void SigTableSetup(void) { DetectPktvarRegister(); DetectNoalertRegister(); DetectFlowbitsRegister(); + DetectDecodeEventRegister(); u_int8_t i = 0; for (i = 0; i < DETECT_TBLSIZE; i++) { diff --git a/src/detect.h b/src/detect.h index 8d9a8cd575..d0bea15f76 100644 --- a/src/detect.h +++ b/src/detect.h @@ -382,7 +382,7 @@ enum { DETECT_ADDRESS, DETECT_PROTO, DETECT_PORT, - + DETECT_DECODE_EVENT, /* make sure this stays last */ DETECT_TBLSIZE, }; diff --git a/src/eidps.c b/src/eidps.c index 41e082d2af..bd3731a51d 100644 --- a/src/eidps.c +++ b/src/eidps.c 
@@ -885,6 +885,7 @@ int main(int argc, char **argv) SigRegisterTests(); PerfRegisterTests(); DecodePPPRegisterTests(); + DecodeEventRegisterTests(); if (argc > 1&& (strcmp(argv[1],"runtests") == 0)) { UtRunTests(); } @@ -930,8 +931,8 @@ int main(int argc, char **argv) gettimeofday(&start_time, NULL); //RunModeIpsNFQ(); - //RunModeIdsPcap(argv[1]); - RunModeFilePcap(argv[1]); + RunModeIdsPcap(argv[1]); + //RunModeFilePcap(argv[1]); //RunModeFilePcap2(argv[1]); ThreadVars tv_flowmgr; From b6d55f84acf85ee9bc5582e7dc2cad754c2e7ee5 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Tue, 11 Aug 2009 07:04:05 +0200 Subject: [PATCH 2/3] Revert default runmode change. Fix running decode event unittests twice. --- src/eidps.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/eidps.c b/src/eidps.c index bd3731a51d..41e082d2af 100644 --- a/src/eidps.c +++ b/src/eidps.c @@ -885,7 +885,6 @@ int main(int argc, char **argv) SigRegisterTests(); PerfRegisterTests(); DecodePPPRegisterTests(); - DecodeEventRegisterTests(); if (argc > 1&& (strcmp(argv[1],"runtests") == 0)) { UtRunTests(); } @@ -931,8 +930,8 @@ int main(int argc, char **argv) gettimeofday(&start_time, NULL); //RunModeIpsNFQ(); - RunModeIdsPcap(argv[1]); - //RunModeFilePcap(argv[1]); + //RunModeIdsPcap(argv[1]); + RunModeFilePcap(argv[1]); //RunModeFilePcap2(argv[1]); ThreadVars tv_flowmgr; From 63d32f723f5bcc4603035cbb5b439399e2b53291 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Tue, 11 Aug 2009 08:10:56 +0200 Subject: [PATCH 3/3] Fix decode event compiler warning. --- src/detect-decode-event.c | 30 +-------------------- src/detect-decode-event.h | 56 +++++++++++++++++++-------------------- 2 files changed, 29 insertions(+), 57 deletions(-) diff --git a/src/detect-decode-event.c b/src/detect-decode-event.c index 716806da44..66334aec87 100644 --- a/src/detect-decode-event.c +++ b/src/detect-decode-event.c 
@@ -3,7 +3,6 @@ * \author Breno Silva */ - #include "decode.h" #include "detect.h" #include "flow-var.h" @@ -18,7 +17,6 @@ #include #include -/* XXX VJ stricter regex */ #define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z+]+$" static pcre *parse_regex; @@ -32,7 +30,6 @@ void DecodeEventRegisterTests(void); /** * \brief Registration function for decode-event: keyword */ - void DetectDecodeEventRegister (void) { sigmatch_table[DETECT_DECODE_EVENT].name = "decode-event"; sigmatch_table[DETECT_DECODE_EVENT].Match = DetectDecodeEventMatch; @@ -76,12 +73,9 @@ error: * \retval 0 no match * \retval 1 match */ - - int DetectDecodeEventMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, Signature *s, SigMatch *m) { int ret = 0; - DetectDecodeEventData *de = (DetectDecodeEventData *)m->ctx; if(de && DECODER_ISSET_EVENT(p, de->event)) @@ -98,46 +92,37 @@ int DetectDecodeEventMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p, * \retval de pointer to DetectFlowData on success * \retval NULL on failure */ - - DetectDecodeEventData *DetectDecodeEventParse (char *rawstr) { - int i; DetectDecodeEventData *de = NULL; #define MAX_SUBSTRINGS 30 int ret = 0, res = 0, found = 0; int ov[MAX_SUBSTRINGS]; - ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS); - if (ret < 1) { goto error; } const char *str_ptr; - res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 0, &str_ptr); if (res < 0) { goto error; } - - for(i=0; DEvents[i].event_name != NULL; i++) { + for(i = 0; DEvents[i].event_name != NULL; i++) { if((strncasecmp(DEvents[i].event_name,str_ptr,strlen(DEvents[i].event_name))) == 0) { found = 1; break; } } - if(found == 0) goto error; de = malloc(sizeof(DetectDecodeEventData)); - if (de == NULL) { printf("DetectDecodeEventSetup malloc failed\n"); goto error; 
@@ -162,8 +147,6 @@ error: * \retval 0 on Success * \retval -1 on Failure */ - - int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { DetectDecodeEventData *de = NULL; @@ -187,8 +170,6 @@ error: if (de) free(de); if (sm) free(sm); return -1; - - return 0; } /** @@ -196,8 +177,6 @@ error: * * \param de pointer to DetectDecodeEventData */ - - void DetectDecodeEventFree(DetectDecodeEventData *de) { if(de) free(de); } @@ -209,7 +188,6 @@ void DetectDecodeEventFree(DetectDecodeEventData *de) { /** * \test DecodeEventTestParse01 is a test for a valid decode-event value */ - int DecodeEventTestParse01 (void) { DetectDecodeEventData *de = NULL; de = DetectDecodeEventParse("ipv4.pkt_too_small"); @@ -225,7 +203,6 @@ int DecodeEventTestParse01 (void) { /** * \test DecodeEventTestParse02 is a test for a valid upper + lower case decode-event value */ - int DecodeEventTestParse02 (void) { DetectDecodeEventData *de = NULL; de = DetectDecodeEventParse("PPP.pkt_too_small"); @@ -240,7 +217,6 @@ int DecodeEventTestParse02 (void) { /** * \test DecodeEventTestParse03 is a test for a valid upper case decode-event value */ - int DecodeEventTestParse03 (void) { DetectDecodeEventData *de = NULL; de = DetectDecodeEventParse("IPV6.PKT_TOO_SMALL"); @@ -255,7 +231,6 @@ int DecodeEventTestParse03 (void) { /** * \test DecodeEventTestParse04 is a test for an invalid upper case decode-event value */ - int DecodeEventTestParse04 (void) { DetectDecodeEventData *de = NULL; de = DetectDecodeEventParse("IPV6.INVALID_EVENT"); @@ -270,7 +245,6 @@ int DecodeEventTestParse04 (void) { /** * \test DecodeEventTestParse05 is a test for an invalid char into the decode-event value */ - int DecodeEventTestParse05 (void) { DetectDecodeEventData *de = NULL; de = DetectDecodeEventParse("IPV-6,INVALID_CHAR"); 
@@ -285,7 +259,6 @@ int DecodeEventTestParse05 (void) { /** * \test DecodeEventTestParse06 is a test for match function with valid decode-event value */ - int DecodeEventTestParse06 (void) { Packet p; ThreadVars tv; @@ -326,7 +299,6 @@ error: /** * \brief this function registers unit tests for DecodeEvent */ - void DecodeEventRegisterTests(void) { UtRegisterTest("DecodeEventTestParse01", DecodeEventTestParse01, 1); UtRegisterTest("DecodeEventTestParse02", DecodeEventTestParse02, 1); diff --git a/src/detect-decode-event.h b/src/detect-decode-event.h index 5fe75edbbe..67f0a69d50 100644 --- a/src/detect-decode-event.h +++ b/src/detect-decode-event.h 
@@ -20,34 +20,34 @@ struct DetectDecodeEvents_ { char *event_name; u_int8_t code; } DEvents[] = { - "ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL, - "ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL, - "ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN, - "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, - "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, - "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, - "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, - "ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, - "ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, - "ipv6.exthdr_dupl_ah", IPV6_EXTHDR_DUPL_AH, - "ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH, - "ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN, - "tcp.pkt_too_small", TCP_PKT_TOO_SMALL, - "tcp.hlen_too_small", TCP_HLEN_TOO_SMALL, - "tcp.invalid_optlen", TCP_INVALID_OPTLEN, - "tcp.opt_invalid_len", TCP_OPT_INVALID_LEN, - "tcp.opt_duplicate", TCP_OPT_DUPLICATE, - "udp.pkt_too_small", UDP_PKT_TOO_SMALL, - "udp.hlen_too_small", UDP_HLEN_TOO_SMALL, - "udp.hlen_invalid", UDP_HLEN_INVALID, - "sll.pkt_too_small", SLL_PKT_TOO_SMALL, - "ethernet.pkt_too_small", ETHERNET_PKT_TOO_SMALL, - "ppp.pkt_too_small", PPP_PKT_TOO_SMALL, - "ppp.ju_pkt_too_small", PPPVJU_PKT_TOO_SMALL, - "ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL, - "ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL, - "ppp.wrong_type", PPP_WRONG_TYPE, - NULL, 0 + { "ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL, }, + { "ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL, }, + { "ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN, }, + { "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, }, + { "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, }, + { "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, }, + { "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, }, + { "ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, }, + { "ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, }, + { "ipv6.exthdr_dupl_ah", IPV6_EXTHDR_DUPL_AH, }, + { "ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH, }, + { "ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN, }, + { 
"tcp.pkt_too_small", TCP_PKT_TOO_SMALL, }, + { "tcp.hlen_too_small", TCP_HLEN_TOO_SMALL, }, + { "tcp.invalid_optlen", TCP_INVALID_OPTLEN, }, + { "tcp.opt_invalid_len", TCP_OPT_INVALID_LEN, }, + { "tcp.opt_duplicate", TCP_OPT_DUPLICATE, }, + { "udp.pkt_too_small", UDP_PKT_TOO_SMALL, }, + { "udp.hlen_too_small", UDP_HLEN_TOO_SMALL, }, + { "udp.hlen_invalid", UDP_HLEN_INVALID, }, + { "sll.pkt_too_small", SLL_PKT_TOO_SMALL, }, + { "ethernet.pkt_too_small", ETHERNET_PKT_TOO_SMALL, }, + { "ppp.pkt_too_small", PPP_PKT_TOO_SMALL, }, + { "ppp.ju_pkt_too_small", PPPVJU_PKT_TOO_SMALL, }, + { "ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL, }, + { "ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL, }, + { "ppp.wrong_type", PPP_WRONG_TYPE, }, + { NULL, 0 }, };